Changes to California’s Data Breach Notification Requirements

Thursday, October 22, 2015

On October 6, 2015, California Governor Jerry Brown signed three new laws which substantially alter and expand the state’s security breach notification requirements. The new changes to California Civil Code sections 1798.29 and 1798.82, the Golden State’s laws that require notifications by state agencies and private sector entities of certain breaches of security, (i) provide a definition for encryption, (ii) establish new requirements for the content and form of breach notifications, and (iii) add license plate information gathered through automated license plate recognition (ALPR) systems to the definition of personal information subject to the state’s notification requirements. These changes become effective January 1, 2016.

When is Personal Information Considered “Encrypted”

Under California’s current law, if personal information is “encrypted,” the notification requirements will not apply. Until now, the law had not defined when personal information would be considered to be “encrypted.” Assembly Bill 964 amends California Civil Code sections 1798.29 and 1798.82 to provide a definition for this previously undefined term. With passage of the amendment, the term “encrypted” is now defined as “rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information technology.” This language seems to allow for flexibility in the types of encryption that can be applied, as well as for future changes in encryption technology.

Updates to Content and Form of Breach Notification

Senate Bill 570 amends California Civil Code sections 1798.29 and 1798.82 to require government agencies and businesses to clarify the content of security breach notifications and provides a model security breach notification. All security breach notifications must now be titled “Notice of Data Breach” and present required information under the following headlines: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” The notice must be designed to call attention to the nature and significance of the matter, must be clear and conspicuous and must be in text no smaller than 10-point type.

Use of the model notification form will be deemed compliant with California’s notification requirements, and thus helpful for agencies and businesses when trying to understand what the notice needs to say. However, in the case of breaches affecting individuals in multiple states, when simplifying the notification process is critical, use of California’s model notice across multiple states may be problematic. For example, the “What Happened” section should not be included in notices to Massachusetts residents as that state’s law prohibits including a description of the nature of the breach or unauthorized acquisition or use.

Popular among local law enforcement, automated license plate recognition (ALPR) systems allow license plate information to be captured from videos and stored. Senate Bill 34 added new sections to California’s Civil Code, beginning with section 1798.90.5, to require that certain users of those systems – called ALPR operators – safeguard ALPR information, including a requirement to implement a usage and privacy policy in order to ensure that the collection, use, maintenance, sharing and dissemination of ALPR information is consistent with respect for individuals’ privacy and civil liberties. However, the Senate Bill also amends California Civil Code sections 1798.29 and 1798.82 to include information obtained from ALPR systems in the definition of “personal information” when used along with an individual’s name. Thus, if this information is involved in a breach of security, it will trigger a notification requirement. Also, individuals harmed by unauthorized access or use of ALPR information or a breach of security of an ALPR system may bring a private right of action.

These amendments represent significant changes to the security breach notification provisions of Civil Code sections 1798.29 and 1798.82, as well as additional protections for information obtained from ALPR systems. In particular, they impact how to respond to security breaches, how to protect personal information and the scope of what information is protected. Businesses are encouraged to review their encryption policies, adopt compliant security breach notification forms and, if using an ALPR system, adopt compliant policies with respect to ALPR information and the employees who control those systems.

Joseph J. Lazzarotti is a Principal in the Morristown, New Jersey, office of Jackson Lewis P.C. He founded and currently helps to co-lead the firm's Privacy, e-Communication and Data Security Practice, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals.

In short, his practice focuses on the matrix of laws governing the privacy, security and management of data, as well as the impact and regulation of social media. He also...

Douglas G.A. Johnston is an Associate in the San Francisco, California, office of Jackson Lewis P.C. He focuses his practice on defending employers in litigation and, in particular, against class action wage and hour allegations.

Recently, Mr. Johnston successfully argued before the U.S. Ninth Circuit Court of Appeals, defeating a challenge to the District Court’s grant of summary judgment on behalf of an employer. In addition to his litigation practice, Mr. Johnston frequently counsels employers on complying with California’s wage and hour laws.

Mr. Johnston serves as the San Francisco office’s e-discovery liaison, advising clients and colleagues on appropriate data retention practices, discovery of electronically stored information and complying with state and federal rules related to document review and production.


The National Law Review - National Law Forum LLC 4700 Gilbert Ave. Suite 47 #230 Western Springs, IL 60558 Telephone (708) 357-3317